Author Topic: Security Fail  (Read 2291 times)


REDACTED

  • Guest
Security Fail
« on: September 14, 2014, 02:48:27 AM »
Have run into several security flaws.

1. Users are allowed to delete devices from the account (Causing data loss) WITHOUT ENTERING A PASSWORD FIRST.
2. I am not able to remotely log off all devices from the account. (Sometimes a user may forget to log out, and I cannot force them to log off)
3. Users are able to Wipe my device (without my permission, if left alone for a few minutes or if the account gets hacked.)

Today, my friend was accessing my account, while I was showing off AVAST ANTI-THEFT, and misread something, thinking it was his, and immediately, without a thought, deleted my device from the account, deleting all of my backed-up files (at least from the Avast side), and I had to re-set up the device.
Right away, I said something to him, he apologized a thousand times, but this accident could have been prevented, had Avast required him to enter a password or at least a very short 4-7 digit pin first!

Offline OndraM

  • Moderator
  • Full Member
  • Posts: 147
Re: Security Fail
« Reply #1 on: September 15, 2014, 12:45:15 PM »
Hi,

thanks for the suggestions. We will discuss it with our product management, but I see why we should not add this confirmation password.

Previously we allowed only one concurrent user session, but removed it later due to complaints. A "Deauthorize" button for all other sessions in settings is definitely a possibility.

Anyway, always remember to log out from any of your accounts (avast or other).

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Security Fail
« Reply #2 on: September 15, 2014, 01:22:47 PM »
Why not a timed session that expires? It will mitigate the issue.
The best things in life are free.
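The three controls discussed in this thread, put together as an added Python example that is not Avast's code and does not describe how their account service works: a password check before the destructive "delete device" action (the original post), a "deauthorize all other sessions" action (reply #1), and idle-timeout expiry of sessions (reply #2). The class and method names, the 15-minute timeout and the sample account with two devices are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time


class AccountSessions:
    """Constructed in-memory model of one account's web sessions.

    Demonstrates the three controls discussed in the thread:
      * password confirmation before a destructive action (device deletion)
      * "deauthorize" all other sessions from the current one
      * sessions that expire after a period of inactivity
    """

    IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped (assumed value)

    def __init__(self, password, devices, now=time.time):
        self._now = now                      # injectable clock, so expiry can be tested
        self._salt = os.urandom(16)
        self._pw_hash = self._derive(password, self._salt)
        self._sessions = {}                  # session token -> timestamp of last activity
        self.devices = set(devices)

    @staticmethod
    def _derive(password, salt):
        # slow, salted password hash; never store the password itself
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _password_ok(self, password):
        # constant-time compare so wrong guesses are not distinguishable by timing
        return hmac.compare_digest(self._derive(password, self._salt), self._pw_hash)

    def login(self, password):
        if not self._password_ok(password):
            raise PermissionError("wrong password")
        token = secrets.token_urlsafe(32)    # unguessable session token
        self._sessions[token] = self._now()
        return token

    def _require_session(self, token):
        last = self._sessions.get(token)
        if last is None:
            raise PermissionError("not logged in")
        if self._now() - last > self.IDLE_TIMEOUT:
            del self._sessions[token]        # timed expiry: forgotten sessions die on their own
            raise PermissionError("session expired, log in again")
        self._sessions[token] = self._now()  # activity resets the idle clock
        return token

    def is_logged_in(self, token):
        try:
            self._require_session(token)
            return True
        except PermissionError:
            return False

    def delete_device(self, token, device, password):
        """Destructive action: a valid session AND a fresh password check are both required."""
        self._require_session(token)
        if not self._password_ok(password):
            raise PermissionError("password confirmation failed; device kept")
        self.devices.discard(device)
        return sorted(self.devices)

    def deauthorize_other_sessions(self, token):
        """Log out every session except the caller's; returns how many were revoked."""
        self._require_session(token)
        others = [t for t in self._sessions if t != token]
        for t in others:
            del self._sessions[t]
        return len(others)

    def active_sessions(self):
        return len(self._sessions)


if __name__ == "__main__":
    acct = AccountSessions("correct horse", ["phone", "tablet"])   # constructed sample account
    me = acct.login("correct horse")
    friend = acct.login("correct horse")      # a second browser left logged in to the same account
    try:
        acct.delete_device(friend, "phone", "guess")   # no correct password: refused, nothing lost
    except PermissionError as e:
        print("blocked:", e)
    print("revoked", acct.deauthorize_other_sessions(me), "other session(s)")
    print("friend still logged in?", acct.is_logged_in(friend))
```

The password prompt on `delete_device` is what would have stopped the accident in the original post: the friend's misread click would have failed at the confirmation step rather than wiping the backups. Idle expiry and "deauthorize others" cover the other two complaints, a session someone forgot to close and a session opened from a stolen password, without relying on every user remembering to log out.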